
Fix 'all' in the SOURCE of DNAT- rules

This commit is contained in:
Tom Eastep 2009-05-02 13:23:29 -07:00
parent 2aecb9ac12
commit 3e0a55f072
3 changed files with 9 additions and 2 deletions


@ -1453,7 +1453,7 @@ sub process_rule ( $$$$$$$$$$$$ ) {
}
} else {
my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
$destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
if ( $intrazone || ( $zone ne $destzone ) ) {
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
}
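Review bot: The replacement assignment to $destzone drops the comment that explained why an undefined destination zone is tolerated at this point in process_rule, and the new form needs that explanation more than the old one did. With `? firewall_zone : ''`, any action that does not match /^REDIRECT/ and has an undefined dest zone ends up with an empty $destzone, so `$zone ne $destzone` is true for every non-empty $zone and process_rule1 is called each time. Please keep a short comment stating that the empty string is deliberate (so the firewall zone is no longer skipped when 'all' is used with DNAT-) and that process_rule1 is still relied on to catch an invalid dest zone. Wrapping the ternary in parentheses ahead of the `unless` modifier would also make the precedence obvious to the next reader.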


@ -8,7 +8,10 @@ Changes in Shorewall 4.3.10
4) Fix handling of class IDs.
5) Deprecate use of an interface in the SOURCE column of /etc/shorewall/masq.
5) Deprecate use of an interface in the SOURCE column of
/etc/shorewall/masq.
6) Fix handling of 'all' in the SOURCE of DNAT- rules.
Changes in Shorewall 4.3.9
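Review bot: The rewrap of item 5 onto two lines is a whitespace-only change to an unrelated entry and makes this hunk look larger than the fix it records; it would be cleaner in its own commit, leaving only the new item 6 here. Item 6 itself matches the commit subject and is fine as worded.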


@ -85,6 +85,10 @@ released late in 2009.
the correct sequence was "...8,9,a,b,...". Shorewall now treats
class IDs as hex, like 'tc' and 'iptables' do.
3. Previously, when 'all' appeared in the SOURCE column of a DNAT-
rule, no rule was generated to redirect output from the firewall
itself.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
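Review bot: The new item 3 describes only the previous behaviour ("no rule was generated to redirect output from the firewall itself") and stops there; the neighbouring item closes with what Shorewall does now ("Shorewall now treats class IDs as hex..."), so add a closing sentence stating that such a rule is now generated. Since the code change keys on whether the action matches REDIRECT rather than on DNAT- specifically, it is also worth saying here whether other actions with 'all' in SOURCE are affected.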